Data leak prevention using user and device contexts

ABSTRACT

Disclosed are various examples for audio data leak prevention using user and device contexts. In some examples, a voice assistant device can be connected to a remote service that provides enterprise data to be audibly emitted by the voice assistant device. In response to a request for the enterprise data being received from the voice assistant device, an audio signal can be generated that audibly broadcasts the enterprise data. The audio signal can be generated to audibly redact at least a portion of the enterprise data based at least in part on a mode of operation of the voice assistant device. The voice assistant device can be directed to emit the enterprise data through a playback of the audio signal.

RELATED APPLICATIONS

Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign ApplicationSerial No. 202041000113 filed in India entitled “DATA LEAK PREVENTIONUSING USER AND DEVICE CONTEXTS” on Jan. 2, 2020, by VMWARE, Inc., whichis herein incorporated in its entirety by reference for all purposes.

BACKGROUND

In enterprise settings, individuals can utilize a number of differentservices and applications in order to complete tasks for an enterpriseor other organization. With the proliferation of personal voiceassistants in the enterprise world, employees and other individuals arebeing assigned voice assistant devices, which are frequently used toretrieve enterprise data at their desks, in their offices, andpotentially in public spaces. However, most of the voice abilitiesavailable to these individuals audibly announce email contents,appointments, reminders etc. verbatim without redaction. This can beproblematic when sensitive information is being audibly broadcasted inan insecure environment. For instance, visitors or other non-authorizedindividuals can potentially overhear sensitive information beingvocalized using personal voice assistant devices.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the present disclosure can be better understood withreference to the following drawings. The components in the drawings arenot necessarily to scale, with emphasis instead being placed uponclearly illustrating the principles of the disclosure. Moreover, in thedrawings, like reference numerals designate corresponding partsthroughout the several views.

FIG. 1 is a drawing of an example of a networked environment, includinga computing environment, client devices, network services, voiceassistant devices, and other components in communication through anetwork.

FIG. 2 is a drawing illustrating an example user interface rendered bythe computing environment for defining settings for a voice assistantdevice.

FIG. 3 is a drawing illustrating functionalities implemented by thecomputing environment using a voice assistant device.

FIG. 4 is a drawing illustrating functionalities implemented by thecomputing environment using a voice assistant device.

FIG. 5 is a flowchart depicting functionalities implemented by thecomputing environment and other components of the networked environment.

FIG. 6 is another flowchart depicting functionalities implemented by thecomputing environment and other components of the networked environment.

FIG. 7 is another flowchart depicting functionalities implemented by thecomputing environment and other components of the networked environment.

FIG. 8 is another flowchart depicting functionalities implemented by thecomputing environment and other components of the networked environment.

DETAILED DESCRIPTION

The present disclosure relates to data leak prevention of enterprisedata on personal voice assistants using user and device contexts. Voiceassistant devices, such as those that react to audible commands tobroadcast news, play music, provide the weather, and other tasks, arebecoming increasingly used in enterprise settings. For instance, manyenterprises are now supplying employees or other individuals with voiceassistant devices. The voice assistant devices are frequently used toaudibly broadcast data at their desks, in their offices, and potentiallyin public spaces. In some instances, the voice assistant devices areused to broadcast enterprise data, which can include confidential orproprietary data, or data that should not be overhead by individuals notassociated with the enterprise, an organizational unit, and so forth.For instance, voice assistant devices are being used to audiblebroadcast emails, calendar entries, and other data that can be overheadby eavesdroppers in the vicinity of a voice assistant device.

Accordingly, in various examples, a computing environment having one ormore computing devices is described, where the computing environment canconnect a voice assistant device to a remote service that providesenterprise data to be audibly emitted by a voice assistant device. Whena request for enterprise data is received from the voice assistantdevice, the computing environment can generate an audio signal thataudibly broadcasts and/or visually displays the enterprise data on thevoice assistant device. Further, in some examples, the computingenvironment can generate the audio signal such that at least a portionof the enterprise data is audibly redacted. In some examples, theportion of the enterprise data is redacted based on a mode of operationof the voice assistant device, which can include one of a multitude ofsecurity modes, as will be described. Ultimately, the computingenvironment can direct the voice assistant device to emit the enterprisedata as redacted through a playback of the audio signal.

To this end, the computing environment can maintain a multitude ofdiffering security modes in association of the voice assistant device ora user thereof. As such, when a request for enterprise data is receivedfrom a voice assistant device, the computing environment can identify anactive one of the security modes and can generate the audio signal basedon policies associated with the active one of the security modes. Theactive one of the security modes, or policies employed by different onesof the security modes, can be determined automatically using user anddevice contexts. With respect to user contexts, in some examples, anelectronic calendar entry can be analyzed to determine whether multipleindividuals are in a vicinity of a voice assistant device and, if so, ahigher security mode of operation can be assigned.

With respect to device context, in some examples, an operator of thevoice assistant device can perform a vocalized command that directs thecomputing environment to change an active one of the security modes toanother one of the security modes. In further examples, the computingenvironment can automatically select one of the security modes to makeactive. For instance, the computing environment can set the voiceassistant device in a data leak prevention (DLP) mode when multipleindividuals are detected within an audible range of the voice assistantdevice, when an analysis of a calendar item indicates that multipleindividuals may be present, and so forth. In further examples, thecomputing environment can select one of the security modes without averbalized command. Instead, the computing environment can select one ofthe security modes based on a sensitivity of the enterprise data to beaudibly broadcasted by the voice assistant device.

The enterprise data can include an email, a calendar item, a reminder,an instant message, a short message service (SMS) message, a combinationthereof, as well as other enterprise data as can be appreciated.Additionally, a portion of the enterprise data can be redacted in theaudio signal by replacing the portion of the enterprise data with apredetermined audio tone, static sound, silence, or other audio signal.

With reference to FIG. 1, an example of a networked environment 100 isshown. The networked environment 100 can include a computing environment103 executing an enterprise data service 106 and a context-aware datagenerator 109, third-party network services 112 executing an audiosignal generator 114, client devices 115, and a voice assistant device118 in communication through a network 121.

The network 121 can include the Internet, intranets, extranets, widearea networks (WANs), local area networks (LANs), wired networks,wireless networks, other suitable networks, or any combination of two ormore such networks. The networks can include satellite networks, cablenetworks, Ethernet networks, telephony networks, and other types ofnetworks. The network 121 includes wide area networks (WANs) and localarea networks (LANs). These networks can include wired or wirelesscomponents or a combination thereof. Wired networks can include Ethernetnetworks, cable networks, fiber optic networks, and telephone networks,such as dial-up, digital subscriber line (DSL), and integrated servicesdigital network (ISDN) networks. Wireless networks can include cellularnetworks, satellite networks, Institute of Electrical and ElectronicEngineers (IEEE) 802.11 wireless networks (e.g., WI-FI®), BLUETOOTH®networks, microwave transmission networks, as well as other networksrelying on radio broadcasts. The network 121 can also include acombination of two or more networks 121. Examples of networks 121 caninclude the Internet, intranets, extranets, virtual private networks(VPNs), and similar networks.

The computing environment 103 executing the enterprise data service 106and the context-aware data generator 109 can include a server computeror any other system providing computing capability. While referred to inthe singular, the computing environment 103 can include a plurality ofcomputing devices that are arranged in one or more server banks,computer banks, or other arrangements. The computing devices of thecomputing environment 103 can be located in a single installation or canbe distributed among many different geographical locations local and/orremote from the other components.

The computing environment 103 can include a grid computing resource orany other distributed computing arrangement. The computing environment103 can also include, or be operated as, one or more virtualizedcomputer instances. For purposes of convenience, the computingenvironment 103 is referred to herein in the singular. The componentsexecuted on the computing environment 103 can include the enterprisedata service 106 and the context-aware data generator 109, as well asother applications, services, processes, systems, engines, orfunctionality not discussed in detail herein.

The enterprise data service 106 can serve up enterprise data 130 a . . .130 c, such as email data, calendar data, reminder data, messaging data,document data, as well as other data, to individuals on their respectiveclient devices 115. To this end, the enterprise data service 106 can beutilized by one or more enterprises, units thereof, or otherorganizations. In some examples, the enterprise data service 106 canprovide virtualized computing resources, such as virtual machines, thatprovide virtual desktops on the client devices 115. Accordingly, theenterprise data service 106 can permit individuals to access enterpriseapplications from anywhere, or on various types of client device 115.The enterprise data service 106 can be part of a local network, trustednetwork, or intranet, which can be separate from the other components ofthe networked environment 103 in various examples.

The enterprise data service 106 can serve up enterprise data 130directly to client devices 115 or through a proxy service. In someexamples, however, the enterprise data service 106 can provideenterprise data 130 through a voice assistant device applicationprogramming interface 133. For instance, a user of a voice assistantdevice 118 can vocalize a command to the voice assistant device 118 thatcauses the voice assistant device 118 to generate and send a request forenterprise data 130. In one example, an employee of an enterprise canaudibly state, “Device, what are my appointments for the day?” or“Device, please read my new emails.” The voice assistant device 118 canthus send audio data captured by a microphone of the voice assistantdevice 118 to a third-party network service 112 which, in turn,translates the audio data into a request for enterprise data 130 to besent to the voice assistant device application programming interface133. Referring to the example above, the enterprise data service 106 canaccess an electronic calendar to identify appointments for the day, orcan access new emails. When the enterprise data 130 is provided to thethird-party network service 112, the audio signal generator 114 cangenerate an audio signal that, when played back on the voice assistantdevice 118, broadcasts the enterprise data 130 as provided to thethird-party network service 112.

The enterprise data service 106 can include authentication functionalityin some examples, which can include retrieving, caching, storing, andvalidating authentication data 136. The authentication data 136 can beused to determine whether the voice assistant device 118 and/or a userof the voice assistant device 118 has sufficient privileges to accessenterprise data 130. In some examples, a user of the voice assistantdevice 118 must enroll the voice assistant device 118 with theenterprise data service 108, using a client device 115 for instance,prior to accessing enterprise data 130 on the voice assistant device118. For example, a user can use the client device 115 to provide aunique identifier for the voice assistant device 118 as well asauthentication data 136, such as a username, email, password, biometricdata, or other information.

If authentication is successfully performed using the authenticationdata 136, the enterprise data service 106 can connect or otherwiseassociate the voice assistant device 118 with a user account 139 basedon the authentication data 136 provided. For instance, the uniqueidentifier of the voice assistant device 118 can be stored in a databasein associated with the user account 139. As such, the enterprise dataservice 106 can serve up any enterprise data 130 associated with theuser account 139, such as emails, calendar items, spreadsheet data, wordprocessing document data, and other data as can be appreciated.

The computing environment 103 can include a data store 140, which caninclude any storage device or medium that can contain, store, ormaintain the instructions, logic, or applications described herein foruse by or in connection with the computing environment 103. The datastore 140 can be a hard drive or disk of a host, server computer, or anyother system providing storage capability. In some examples, the datastore 140 can include a network storage service, for instance, providedby the third-party network service 112. While referred to in thesingular, the data store 140 can include a plurality of storage devicesthat are arranged in one or more hosts, server banks, computer banks, orother arrangements. The data store 140 can include any one of manyphysical media, such as magnetic, optical, or semiconductor media. Otherexamples include solid-state drives or flash memory.

The data store 140 can include memory of the computing environment 103,mass storage resources of the computing environment 103, or any otherstorage resources on which data can be stored by the computingenvironment 103. The data stored in the data store 140 can include, forexample, enterprise data 130, authentication data 136, user accounts139, as well as whitelist data 143, blacklist data 146, security modedata 149, and other data. User accounts 139 can include data associatedwith employees of the enterprise or other individuals having access toenterprise data 130. As such, the user accounts 139 can include datasuch as email address, organizational unit, first name, middle name,last name, authentication data 136, device identifiers for connectedvoice assistant devices 118 and/or client devices 115, as well as otherdata. Security mode data 149 can include data associated with securitymodes of the voice assistant devices 118 as well as policies associatedtherewith. Policies can include criteria that, when met, causesenterprise data 130 to be audibly redacted.

For instance, as it is undesirable for the voice assistant device 118 toaudibly broadcast sensitive enterprise data 130, in some examples, thecontext-aware data generator 109 can redact certain words, phrases, orother portion of the enterprise data 130 to be broadcasted by the voiceassistance device 118. As such, in some examples, an administrator of anenterprise, or a user, can define certain words, phrases, regularexpressions, or other content as whitelist data 143, indicating that thecontent is permitted to be audibly broadcasted by the voice assistantdevice 118. Conversely, in some examples, the administrator of theenterprise, or the user, can define certain words, phrases, regularexpressions, or other content as blacklist data 146, indicating that thecontent is not permitted to be audibly broadcasted by the voiceassistant device. In some examples, the whitelist data 134 and/or theblacklist data 146 can include a list of keywords, clients, or otherfilters that can be used by the context-aware data generator 109 todetermine whether to permit or deny inclusion of a word, phrase, orother content based on a currently active security mode of the voiceassistant device 118.

In some examples, a user of the voice assistant device 118 can create acustom security mode by providing different filters for the customsecurity mode. For instance, a user can set filters for terms deemedconfidential, such as sales figures, email addresses, phone numbers,names of clients, and so forth. Based on a security mode made active onthe voice assistant device 118, particular words matching the filtercriteria can either be skipped or redacted when the voice assistantdevice 118 reads out the emails, calendar items, etc. In a more securemode, emails or calendar items containing such confidential words can beskipped such that the voice assistant device 118 does not audiblybroadcast any data associated with the emails, calendar items, or otherenterprise data 130.

In some examples, the computing environment 103 can change an active oneof the security modes on a voice assistant device 118, for instance,based on user or device contexts. For example, if multiple persons areidentified in a vicinity of a voice assistant device 118, the computingenvironment 103 can ensure that an active one of the security modesprevents the dissemination of sensitive materials. In another example,if the enterprise data 130 to be played back on the voice assistantdevice 118 uses one or more predefined terms, such as “confidential,”“privileged,” “proprietary,” or other customizable word or phrase, thecomputing environment 103 can automatically change the security mode ofthe voice assistant device 118 to one in which sensitive enterprise data130 is subject to redaction policies.

The security mode data 149 can include data associated with one or moresecurity modes of the voice assistant device 118. For instance, a firstone of the security modes can be made active to abstain from redactingany content to be audibly broadcasted by the voice assistant device 118.A second one of the security modes, however, can be made active toredact content to be audibly broadcasted by the voice assistant device118, for instance, based on the whitelist data 143, the blacklist data146, or other sensitivity levels associated with the content. Differentsecurity modes can be more restrictive on the enterprise data 130permitted for dissemination, as can be appreciated. The data stored inthe data store 140 can be associated with the operation of the variousapplications and/or functional entities described.

The third-party network services 112 can include web applications, webservices, or other network facing applications. One or more third-partynetwork services 112 can be provided by the same provider or bydifferent providers. The third-party network services 112 can includeone or more network services offered by a manufacturer of the voiceassistant device 118 in some examples. Also, the third-party networkservices 112 can include an audio signal generator 114 that generatesaudio signals, such as audio files, to be broadcasted on voiceassistance devices 118. In other examples, the computing environment 103provides enterprise data 130 to the audio signal generator 114 which, inturn, generates an audio signal that audibly broadcasts the enterprisedata 130 as provided. In some examples, the third-party network service112 can provide user interface data or other network content to presenton a display of the voice assistant device 118, assuming the voiceassistant device 118 is a device having a display.

The third-party network services 112 can receive audio-video datarequests 175 from the voice assistant devices 118, and provideaudio-video data 177 based on the audio-video data requests 175. Theaudio-video can include an audio signal to be emitted by a speaker 178of the voice assistant device 118 in some examples, or can include userinterface data or media data, such as video data, to be shown on adisplay 179 of the voice assistant device 118.

It is understood that, in some examples, the voice assistant device 118does not include a display 179, and merely includes a microphone 180(and potentially one or more buttons) as an input interface device and aspeaker 178 as an output interface device. However, in other examples,the voice assistant device 118 may include a display 179 for rendering auser interface or other media thereon.

The voice assistant device 118 can further include processing circuitry181 that can cause an audio signal to be broadcast over the speaker 178,or can cause a user interface or video to be rendered on the display179. The display 179 can include a liquid crystal display (LCD), organiclight emitting diode (OLED) display, touch-screen display, or other typeof display device. The processing circuitry 181 can include anapplication specific integrated circuit (ASIC) in some examples, or caninclude a programmable computing device having at least one hardwareprocessor and memory.

The client device 115 can be representative of one or more clientdevices 115. The client device 115 can include a processor-based system,such as a computer system, that can include a desktop computer, a laptopcomputer, a personal digital assistant, a cellular telephone, asmartphone, a set-top step, a music player, a tablet computer system, agame console, an electronic book reader, a smartwatch, a voice activatedsmart device, or any other device with like capability. The clientdevice 115 can have an operating system 182 that can performfunctionalities and execute applications. The operating system 182 canbe stored in a client data store 183 that also includes clientapplications 184. The client device 115 can execute the clientapplications 1849 to perform or access the functionality described forthe enterprise data service 106.

Along with the voice assistant device 118, the client device 115 can beequipped with networking capability or networking interfaces, includinga localized networking or communication capability, such as a near-fieldcommunication (NFC) capability, radio-frequency identification (RFID)read or write capability, or other localized communication capability.In some embodiments, the client device 115 is mobile where the clientdevice 115 is easily portable from one location to another, such as asmart phone, tablet, or laptop computer. In other situations, the clientdevice 115 can be a desktop machine or a kiosk at a particular location.Like the voice assistant device 118, the client device 115 can includeinterface devices that can be utilized to interact with users. Theinterface device can include, for example, audio devices 186, clientdisplays 185, and haptic devices 187.

The operating system 182 of the client device 115 can execute variousclient functionalities or client applications 184, such as a managementapplication, a browser application, a voice interaction functionality,or another application. The operating system 182 and some clientapplications 184 can access network content served up by the computingenvironment 103, or other servers and can present this information to auser on a client display 185. For example, the client device 115 canrender a user interface on the client display 185, such as a liquidcrystal display, organic light emitting diode display, touch-screendisplay, or other type of display device. The client device 115 can alsopresent audio information using the audio device 186, and can providehaptic or physical feedback using the haptic device 187.

Some client applications 184 can include a browser or a dedicatedapplication, and a user interface can include a network page, anapplication screen, or other interface. The client device 115 can alsoaccess web applications using a browser application. Further, otherclient applications 184 can include device management applications,enterprise applications, social networking applications, wordprocessors, spreadsheet applications, media player applications, orother applications.

In some examples, one of the client applications 184 can include anagent application that enrolls the client device 115 with the computingenvironment 103. The agent application can perform actions as directedby the computing environment 103, for instance, by checking in with theenterprise data service 106 or other management service of the computingenvironment 103, retrieving a command from the command queue, andimplementing the command on the client device 115. In some examples, theenterprise data service 106 can send a configuration profile to anoperating system 182 of the client device 115 that causes the agentapplication to obtain administrator privileges on the client device 115.

A user of the client device 115 can interact with the clientapplications 184 to retrieve enterprise data 130, for instance, bysending enterprise data requests 190 a, 190 b. Alternatively, if theuser interacts with the voice assistant device 118 to request enterprisedata 130, the voice assistant device 118 sends an audio-video datarequest 175 which, in turn, causes the third-party network service 112to send an enterprise data request 190 to the enterprise data service106. The computing environment 103 can send the enterprise data 130 as aservice return 193, as can be appreciated.

FIG. 2 shows an example of a user interface rendered on a display 185 ofa client device 115. In some examples, a user can access a web page or aclient application 184 on the client device 115 to set filters for termshe or she considers confidential, such as sales figures, privatemeetings, email addresses, phone numbers, and names of corporateclients. The filters defined in the user interface can be added to thedata store 140 in association with a security mode of the voiceassistant device 118, for instance, as whitelist data 143, blacklistdata 146, or security mode data 149. Based on a security mode madeactive on a voice assistant device 118, the words or associated contentmatching predefined criteria can be removed or permitted when voiceassistant device 118 audibly broadcasts the enterprise data 130.

In some examples, the user can define a multitude of security modeshaving varying policies and levels of security. For instance, a lowestsecurity mode can avoid redacting any enterprise data 130 and a highestsecurity mode can redact all enterprise data 130 matching predefinedcriteria, such as the criteria that can be established using the userinterface 200 of FIG. 2. For instance, some emails or appointmentscontaining the term “confidential” may be completely skipped. Anintermediate security mode can redact some terms or phrases whilepermitting others to be audibly broadcasted. For instance, confidentialsales numbers can be redacted, but non-confidential email items can beaudibly broadcasted.

Accordingly, different ones of the security modes can be facilitatedeither by filters created by a user or an administrator for certaindivisions within an enterprise. Thus, security modes can differ fromuser to user, and even division to division in a single organization.For example, a sales division for AlphaCo, an enterprise, might havedata loss prevention policies performed on sales contacts, activecontract, deal size, or other information, whereas the human resourcesorganization unit can have data loss prevention policies performed onparameters, such as compensation, complaints, whistle blowerinformation, and so on. In further examples, a third-party data lossprevention solution, for instance, one already deployed by anorganization, can be used to facilitate a security mode that implementsdata loss prevent as described above. For instance, a third party modecan automatically redact content using previously set filters onenterprise data 130 and other information provided by the computingenvironment 103.

In another example, explicit and/or implicit access rules can beautomatically propagated and incorporated, which can be defined in thesource of content. For instance, for email content, if an email islabeled as “Confidential,” then any user account 139 that is not in thesender and recipient list of this email is not supposed to listen to itscontent and, as such, redaction of the enterprise data 103 can occur.Similarly, shared documents can be redacted based on an author,recipient, and other information.

Turning now to FIGS. 3 and 4, different examples of a voice assistantdevice 118 are shown. The voice assistant device 118 can include onehaving a microphone 180 for receiving voice commands from a user. Thevoice assistant device 118 further includes processing circuitry 181that captures voice data through the microphone 180 and sends the voicedata for analysis by a third-party network service 112 through a networkinterface. Upon receipt, the third-party network service 112 cantranslate the voice data into text, and determine a command provided bya user from the text. For instance, if the user commands the voiceassistant device 118 to provide weather for the week, the third-partynetwork service 112 can identify the command from the audio data andquery a weather network service to obtain weather data based on alocation of the voice assistant device 118. In some examples, anaudio-to-text translation can be performed. The third-party networkservice 112 can send the weather data to the audio signal generator 114to generate an audio signal 300 that can be played back on a speaker 178of the voice assistant device 118.

In some examples, however, the third-party network service 112integrates with the enterprise data service 106 to provide enterprisedata 130 to an operator of the voice assistant device 118. For instance,the operator can connect or otherwise associate his or her enterpriseuser account 139 with the voice assistant device 118 to accessenterprise data 130, such as emails, work documents, instant messages,and other enterprise data 130. In one example, the operator can audiblystate, “Device, what's on my calendar for today?” The third-partynetwork service 112 can identify the command from the audio data andrealize that “calendar” invokes a calendar application offered by theenterprise data service 106. As such, the third-party network service112 can query the enterprise data service 106 to obtain enterprise data130, more specifically, calendar items for the current day for the useraccount 139 associated with the voice assistant device 118. Using theaudio signal generator 114, the third-party network service 112 cantranslate text and other data from the calendar items into an audiosignal that can be played back on a speaker 178 of the voice assistantdevice 118.

In some examples, however, the computing environment 103 can direct theaudio signal 300 to be generated such that at least a portion of theenterprise data 130 is audibly redacted. For instance, if the voiceassistant device 118 is in a secure mode of operation, or a highersecurity mode of operation as compared to other security modes, theenterprise data service 106 can remove or redact portions of theenterprise data 130 provided to the third-party network service 112. Theredacted portions of FIGS. 3 and 4 are denoted using “[REDACTED TONE]”and “[TONE],” where it is understood that a predetermined tone, beeping,white noise, or silence can be played in place of the redacted content.

In some examples, the enterprise data service 106 redacts the enterprisedata 130 locally on the computing environment 103. For instance, theenterprise data service 106 may remove confidential, proprietary, orother sensitive data and provide a placeholder, such as “REDACTED,” thatinstructs the audio signal generator 114 to insert a predetermined tone,white noise, static, silence, or other appropriate audio.

In alternative examples, the enterprise data service 106 provides theenterprise data 130 to the third-party service 112 without redaction,but with information on what content should be redacted. In other words,the enterprise data service 106 can instruct the third-party networkservice 112 which portions of the enterprise data 130 to remove which,in turn, instructs the audio signal generator 114 to replace the contentto be redacted with a predetermined tone, white noise, static, silence,or other appropriate audio in redacted portions of the enterprise data130.

Notably, the voice assistant device 118 shown in FIG. 3 does not includea display 179. As such, it is understood that the enterprise data 130 isprovided audibly through the speaker 178 of the voice assistant device118. Alternatively, as shown in FIG. 4, in some examples, the voiceassistant device 118 can include a display 179. In some examples, theprocessing circuitry 181 of the voice assistant device 118 shows contenton the display 179 as content is audibly being broadcasted through thespeaker 178. As can be appreciated, the content shown in the display 179can be redacted or censored, similar to the audio signal generated bythe audio signal generator 114.

While the enterprise data 130 is shown as being redacted in the display179, in alternative examples, the enterprise data 130 can be shown inthe display 179 without redaction. More specifically, the audio signal300 having the enterprise data 130 as redacted can be broadcasted;however, the

FIG. 5 shows an example of a flowchart 500 describing steps that can beperformed by the computing environment 103. Generally, the flowchart 500describes the interaction between the computing environment 103, thevoice assistant device 118, and the third-party network services 112 inthe networked environment 100 of FIG. 1.

Beginning with step 503, the computing environment 103 can connect orotherwise associate a voice assistant device 118 with a remote service,where the remote service can include the enterprise data service 106 orother remote device management service.

In some examples, to connect a voice assistant device 118 with theenterprise data service 106, a user can interact with a client device115 to provide a unique identifier or other information capable ofuniquely identifying a voice assistant device 118 as well asauthentication data 136. The authentication data can include informationassociated with an enterprise user account 139, such as a username,email, password, biometric data, or other information.

Prior to connecting the voice assistant device 118 to the remoteservice, the computing environment 103 can authenticate a user of theclient device 115 and/or voice assistant device 118. If authenticationis successfully performed using the authentication data 136, theenterprise data service 106 can connect or otherwise associate the voiceassistant device 118 with a user account 139 based on the authenticationdata 136 provided. For example, a unique identifier of the voiceassistant device 118, or other identifying information, can be stored inthe data store 140 in associated with the user account 139. Accordingly,the computing environment 103 can receive serve requests from the voiceassistant device 118 by providing request enterprise data 130 associatedwith the user account 139, such as emails, calendar items, spreadsheetdata, word processing document data, reminders, and other data as can beappreciated.

For instance, in step 506, the computing environment 103 can receive arequest for enterprise data 130 from the voice assistant device 118. Insome examples, the request can include an enterprise data request 190received directly from the voice assistant device 118 or an enterprisedata request 190 received from the third-party network service 112negotiating on behalf of the voice assistant device 118. In someexamples, the request can include a unique identifier or otheridentifying information for the voice assistant device 118 originatingthe request. As such, the computing environment 103 can identify acorresponding user account 139 from the unique identifier, and canidentify enterprise data 130 associated with the user account 139.

However, prior to sending any enterprise data 130, in step 509, thecomputing environment 103 can first determine whether the request isauthorized. In some examples, the computing environment 103 candetermine whether the device identifier is a valid device identifier,for instance, based on an arrangement of the identifier orcommunications with the third-party network service 112. For instance,if the third-party network service 112 is operated by a manufacturer ofthe voice assistant device 118, the third-party network service 112 candetermine whether the voice assistant device 118 is an authorized andsecure type of voice assistant device 118, or one permitted to accessenterprise data 130 sent from the enterprise data service 106.

Additionally, the computing environment 103 can determine whether therequest is authorized based on the user account 139 being active. Infurther examples, the computing environment 103 can determine whetherthe request is authorized based on the voice assistant device 118 and/orthe client device 115 complying with one or more predefined compliancerules. For instance, an administrator of the enterprise data service 106can deny enterprise data 130 being provided to any of the devices if oneof the devices were rooted, jailbroken, or subject to another securityvulnerability.

Referring again to step 509, if the request is not authorized, theprocess can proceed to completion and enterprise data 130 is notprovided to the voice assistant device. Alternatively, in step 509, ifthe request is authorized by the computing environment 103 and/or thethird-party network services 112, the process can proceed to step 512.

In step 512, the computing environment 103 can generate an audio and/orvideo signal for audibly broadcasting the enterprise data 130 identifiedin the request. In some examples, the computing environment 103 firstretrieves the enterprise data 130 from the data store 140, for instance,based on the user account 139. The enterprise data 130 can include anemail, a calendar item, a reminder, an instant message, a short messageservice message, a combination thereof, as well as other enterprise data130 as can be appreciated.

The audio signal 300 can include an audio file or a stream of audiocontent in some examples generated using a text-to-speech convertor.Similarly, the video signal can include a video file or stream of videocontent that displays the text of the enterprise data 130 or atranslation thereof. Alternatively, the video signal can include userinterface data, such as a web page or similar network content capable ofrendering a user interface in a display 179 of the voice assistantdevice 118.

In some examples, the computing environment 103 can generate the audioor video signally locally in the computing environment 103. Inalternative examples, the computing environment 103 can direct thethird-party network service 112, or the audio signal generator 114thereof, to generate the audio or video signal remotely from thecomputing environment 103. In alternative examples, the voice assistantdevice 118 can include a local voice signal generator and, as such, thecomputing environment 103 can direct the local audio signal generator togenerate the audio signal 300 on the voice assistant device 118.

In some examples, the enterprise data service 106 can generate the audioor video signal by redacting enterprise data 130 locally on thecomputing environment 103. For instance, the enterprise data service 106can remove confidential, proprietary, other sensitive data, orenterprise data 130 matching predefined criteria specified by a user oradministrator. The computing environment 103 can insert a placeholderinto the enterprise data 130, such as “REDACTED,” that instructs theaudio signal generator 114 to insert a predetermined tone, white noise,static, silence, or other appropriate audio.

In alternative examples, the enterprise data service 106 provides theenterprise data 130 to the third-party service 112 in a data objectwithout redaction, but with information on what content should beredacted. In other words, the enterprise data service 106 can instructthe third-party network service 112 which portions of the enterprisedata 130 to remove which, in turn, instructs the audio signal generator114 to replace the content to be redacted with a predetermined tone,white noise, static, silence, or other appropriate audio in redactedportions of the enterprise data 130. Similarly, any user interface datato be shown on the display 179 of the voice assistant device 118 can besimilar redacted, as shown in FIG. 4.

Referring again to FIG. 5, the computing environment 103 can send theaudio and/or video signal to the voice assistant device 118 for playbackand/or display of the enterprise data 130 on the voice assistant device118. For instance, assuming a user verbally commands the voice assistantdevice 118 to read latest emails, the voice assistant device 118 canaudibly broadcast, “Reading first email. The sales numbers for Q4 for2025 were [PREDFINED TONE], a [PREDFINED TONE] increase from 2024.” Whenaudibly broadcasted, a predetermined tone, beeping, white noise, orsilence can be played back in place of the “PREDEFINFED TONE”placeholder. Similarly, the content can be shown in the display 179 ofthe voice assistant device 118 as redacted, as shown in FIG. 4.

Accordingly, in step 518, the computing environment 103 can direct thevoice assistant device 118 to playback or display the audio and/or videosignal data on the voice assistant device 118, as illustrated in theexamples of FIGS. 3 and 4. In instances in which emails, appointments,or other enterprise data 130 that has been skipped or not broadcasted ordisplayed on the voice assistant device 118 can be replaced with acustom sound or similar cues. As such, when the user hears the customsound or other cue, the user will understand that confidential data hasbeen skipped. In some examples, while the enterprise data 130 has not bebroadcasted through the speaker 178, voice assistant devices 188 havinga display 179 may show redacted content in its entirety or, in otherwords, without redaction, on the display 179. In other examples, pushnotifications, text messages, or instant messages can be sent to aclient device 115 also associated with the user account 139 to displaythe enterprise data 130 without redaction while the redacted version ofthe enterprise data 130 is being broadcast by the speaker 178.Thereafter, the process can proceed to completion.

Moving on, FIG. 6 shows an example flowchart describing additional stepsthat can be performed by the computing environment 103 in performingstep 512. Beginning with step 603, in some examples, the computingenvironment 103 can identify an active security mode on the voiceassistant device 118. For instance, in some examples, if non-authorizedpersons are in a user's office, the user can instruct the voiceassistant device 118 to enter a DLP mode or other secure mode ofoperation by stating, “Please enter DLP mode.”

Notably, the computing environment 103 can maintain a multitude ofdiffering security modes in association of the voice assistant device118 or in association with a corresponding user account 139. As such,when a request for enterprise data 130 is received from a voiceassistant device 118, the computing environment 103 can identify anactive one of the security modes and can generate the audio signal 300based on the active one of the security modes.

The active one of the security modes, or policies employed by differentones of the security modes, can be determined automatically using userand device contexts in some examples. With respect to user context, insome examples, an electronic calendar entry can be analyzed to determinewhether multiple individuals are in a vicinity of a voice assistantdevice and, if so, a higher security mode of operation can be assigned.The detection of multiple individuals is described in greater detailbelow with respect to FIG. 8.

With respect to device context, in some examples, an operator of thevoice assistant device 118 can perform a vocalized command that directsthe computing environment 103 to change an active one of the securitymodes to another one of the security modes. In further examples, thecomputing environment 103 can automatically select one of the securitymodes to be active.

For instance, the computing environment 103 can set the voice assistantdevice 118 in a data leak prevention mode when multiple individuals aredetected within an audible range of the voice assistant device 118, whenan analysis of a calendar item indicates that multiple individuals maybe present, and so forth. In further examples, the computing environment103 can select one of the security modes without a verbalized command.Instead, the computing environment 103 can select one of the securitymodes based on a sensitivity of the enterprise data 130 to be audiblybroadcasted by the voice assistant device 118.

In another example, the computing environment 103 can set the voiceassistant device 118 in a data leak prevention mode when usinghuman-imperceptible sounds that send a command to the third-partynetwork services 112 or the computing environment 103. For instance, aclient device 115 can be configured to emit a human-imperceptible soundwhen a meeting has started. The voice assistant device 118 can recordthe human-imperceptible sound, which is identified by the third-partynetwork service 112 or the computing environment 103. In response, thecomputing environment 103 can set the voice assistant device 118 in adata leak prevention mode.

Next, in step 606, the computing environment 103 can redact portions ofthe enterprise data 130 (or an entire portion of the enterprise data130) based on an active security mode. As it is undesirable for thevoice assistant device 118 to audibly broadcast sensitive enterprisedata 130, in step 606, the computing environment 103 can redact certainwords, phrases, or other portion of the enterprise data 130 to bebroadcasted by the voice assistance device 118. The words, phrases, orother portion of the enterprise data 130 can be defined by a user or anadministrator of an enterprise in some examples, for example, using auser interface similar to that shown in FIG. 2. As such, in someexamples, an administrator of an enterprise, or a user, can definecertain words, phrases, regular expressions, or other content andfilters as whitelist data 143, indicating that the content is permittedto be audibly broadcasted by the voice assistant device 118.

Alternatively, in some examples, the administrator of the enterprise, orthe user, can define certain words, phrases, regular expressions, orother content and filters as blacklist data 146, indicating that thecontent is not permitted to be audibly broadcasted by the voiceassistant device. In some examples, the whitelist data 134 and/or theblacklist data 146 can include a list of keywords, clients, or otherfilters that can be used by the context-aware data generator 109 todetermine whether to permit or deny inclusion of a word, phrase, orother content based on a currently active security mode of the voiceassistant device 118.

In further examples, the computing environment 103 can determine whethera voice assistant device 118 or an associated client device 115 isconnected to headphones or an earphone. For instance, if the voiceassistant device 118 or the associated client device 115 is connected toheadphones or an earphone, the computing environment 103 can abstainfrom performing any redactions as any enterprise data 130 broadcasted isunlikely to be heard, even if multiple people are in vicinity of thevoice assistant device 118.

In another example, the computing environment 103 can determine whethera voice assistant device 118 is assigned to a cubicle, meeting room, orother public space. For instance, if the computing environment 103determines that the voice assistant device 118 is assigned to a meetingroom, a default security mode of the voice assistant device 118 caninclude a data leak prevention mode or other security mode thatautomatically performs redactions, also if a corresponding meetinginvite associated with the meeting room has multiple recipients.

In yet another example, the computing environment 103 can analyzegeneral settings of the voice assistant device 118. For example, if avolume setting of a voice assistant device 118 is above a volumethreshold, the computing environment 103 can automatically toggle thevoice assistant device 118 to enter into a data leak prevention mode orother security mode that automatically applies redactions. At this time,the voice assistant device 118 can broadcast a warning to inform a userof the change to the voice assistant device 118.

In step 609, the computing environment 103 can provide the audio signalgenerator 114 with the enterprise data 130 as redacted. In alternativeexamples, the enterprise data service 106 provides the enterprise data130 to the third-party service 112 without redaction, but withinformation on what content should be redacted. In other words, theenterprise data service 106 can instruct the third-party network service112 which portions of the enterprise data 130 to remove which, in turn,instructs the audio signal generator 114 to replace the content to beredacted with a predetermined tone, white noise, static, silence, orother appropriate audio in redacted portions of the enterprise data 130.

Finally, in step 612, the computing environment 103 can cause the audiosignal 300 to be broadcast by the voice assistant device 118 and, inturn, can direct the voice assistant device 118 to emit predeterminedaudio tones or sounds during playback of the redacted portions of theenterprise data 130. Thereafter, the process can proceed to completion.

Turning now to FIG. 7, an example of a flowchart 700 is shown thatdescribes additional steps that can be performed by the computingenvironment 103. In some examples, an operator of the voice assistantdevice 118 can perform a vocalized command that directs the computingenvironment 103 to change an active one of the security modes to anotherone of the security modes. Accordingly, in step 703, in some examples,the computing environment 103 can receive a command to change an activeone of the security modes. The command can include, for example,“Device, switch to DLP mode” or “Device, increase security please.”

Thereafter, in step 706, the computing environment 103 can change theactive one of the security modes for the voice assistant device 118, forinstance, by changing a setting store in the data store 140 inassociation with a user account 139. As can be appreciated, any requestsfor enterprise data 130 can be subject to a higher rate of reduction inthe event a level of security is increased or, in other words, when ahigher security mode is engaged. Similarly, the user can initiatecommand to lessen the level of security applied to broadcasts ofenterprise data by stating. “Device, switch to open mode” or “Device,decrease security please.” Thereafter, the process can proceed tocompletion.

Referring next to FIG. 8, an example of a flowchart 800 is shown thatdescribes additional steps that can be performed by the computingenvironment 103 to identify the present of multiple individuals and tochange a security mode automatically. Beginning with step 803, thecomputing environment 103 can capture audio to determine whethermultiple persons or individuals are present in an environment, such asan office, cubicle, or other enterprise space in which a broadcast bythe speaker 178 of the voice assistant device 118 could be heard.

As such, in step 806, the computing environment 103 can determinewhether multiple individuals are present or are in a vicinity of thevoice assistant device 118. In some examples, to detect the presence ofmultiple individuals, the computing environment 103 can be configured toanalyze audio data captured using a microphone 180 of the voiceassistant device 118. For instance, voices of individuals can bedemultiplexed using blind signal separation techniques, and differentindividuals can be identified based on a comparison of pitch, frequency,speech seed, and other signal factors. Speech having an altitude orvolume less than a predetermined threshold can be used to identifyindividuals beyond a range of a speaker 178 of the voice assistantdevice 118 using, for example, a volume or other characteristic of thevoice assistant device 118, and can be ignored for purposes ofidentifying multiple individuals.

Additionally, the computing environment 103 can detect presence ofmultiple people in a room or vicinity of the voice assistant device 118using feeds from a security camera or a camera of a client device 115 orvoice assistant device 118, proximity sensing using NFC tags, Bluetooth®beacons, information-of-things (IoT devices, and so forth. In furtherexamples, the computing environment 103 can detect presence of multipleindividuals based on locations of managed client devices 115, forinstance, using a combination of global positioning system (GPS) data,wireless fidelity (Wi-Fi) data, positioning data, and other locationparameters.

Alternatively, in examples in which the voice assistant device 118 iscapable of detecting multiple voices or people in the room, thecomputing environment 103 can change the security mode from one toanother automatically and without human intervention. In furtherexamples, the presence of multiple people can also be detected usingambient noise captured by a microphone of the client device 115(contrasted with the microphone 180 of the voice assistant device 118),for example, during a login process.

If multiple persons are not present, no change in the security mode ofoperation is warranted, and the process can proceed to completion.Alternatively, if multiple persons are identified in the vicinity of thevoice assistant device 118, the process can proceed to step 809.

In step 809, the computing environment 103 can increase the level ofsecurity from one mode to a higher security mode. As can be appreciated,the higher security mode can cause the computing environment 103 toredact additional portions of data as compared to a base level mode or anon-redacted mode. Thereafter, the process can proceed to completion.

A number of software components are stored in the memory and executableby a processor. In this respect, the term “executable” means a programfile that is in a form that can ultimately be run by the processor.Examples of executable programs can be, for example, a compiled programthat can be translated into machine code in a format that can be loadedinto a random access portion of one or more of the memory devices andrun by the processor, code that can be expressed in a format such asobject code that is capable of being loaded into a random access portionof the one or more memory devices and executed by the processor, or codethat can be interpreted by another executable program to generateinstructions in a random access portion of the memory devices to beexecuted by the processor. An executable program can be stored in anyportion or component of the memory devices including, for example,random access memory (RAM), read-only memory (ROM), hard drive,solid-state drive, USB flash drive, memory card, optical disc such ascompact disc (CD) or digital versatile disc (DVD), floppy disk, magnetictape, or other memory components.

Memory can include both volatile and nonvolatile memory and data storagecomponents. Also, a processor can represent multiple processors and/ormultiple processor cores, and the one or more memory devices canrepresent multiple memories that operate in parallel processingcircuits, respectively. Memory devices can also represent a combinationof various types of storage devices, such as RAM, mass storage devices,flash memory, or hard disk storage. In such a case, a local interfacecan be an appropriate network that facilitates communication between anytwo of the multiple processors or between any processor and any of thememory devices. The local interface can include additional systemsdesigned to coordinate this communication, including, for example,performing load balancing. The processor can be of electrical or of someother available construction.

The client devices 115 can include a display upon which a user interfacegenerated by a client application 184, enterprise data service 106, oranother application can be rendered. In some examples, the userinterface can be generated with user interface data provided by thecomputing environment 103. The client devices 115 can also include oneor more input/output devices that can include, for example, a capacitivetouchscreen or other type of touch input device, fingerprint reader, orkeyboard.

Although the workflow service 120, client applications 184, and othervarious services and functions described can be embodied in software orcode executed by general purpose hardware as discussed above, as analternative the same can also be embodied in dedicated hardware or acombination of software/general purpose hardware and dedicated hardware.If embodied in dedicated hardware, each can be implemented as a circuitor state machine that employs any one of or a combination oftechnologies. These technologies can include discrete logic circuitshaving logic gates for implementing various logic functions upon anapplication of one or more data signals, application specific integratedcircuits having appropriate logic gates, field-programmable gate arrays(FPGAs), or other components.

The flowcharts show an example of the functionality and operation of animplementation of portions of components described. If embodied insoftware, each block can represent a module, segment, or portion of codethat can include program instructions to implement the specified logicalfunction(s). The program instructions can be embodied in the form ofsource code that can include human-readable statements written in aprogramming language or machine code that can include numericalinstructions recognizable by a suitable execution system such as aprocessor in a computer system or other system. The machine code can beconverted from the source code. If embodied in hardware, each block canrepresent a circuit or a number of interconnected circuits to implementthe specified logical function(s).

Although the flowcharts show a specific order of execution, it isunderstood that the order of execution can differ from that which isdepicted. For example, the order of execution of two or more blocks canbe scrambled relative to the order shown. Also, two or more blocks shownin succession can be executed concurrently or with partial concurrence.Further, in some embodiments, one or more of the blocks shown in thedrawings can be skipped or omitted.

Also, any logic or application described that includes software or codecan be embodied in any non-transitory computer-readable medium for useby or in connection with an instruction execution system such as aprocessor in a computer system or other system. In this sense, the logiccan include, for example, statements including instructions anddeclarations that can be fetched from the computer-readable medium andexecuted by the instruction execution system. In the context of thepresent disclosure, a “computer-readable medium” can be any medium thatcan contain, store, or maintain the logic or application described foruse by or in connection with the instruction execution system. Thecomputer-readable medium can include any one of many physical media,such as magnetic, optical, or semiconductor media. Examples of asuitable computer-readable medium include solid-state drives or flashmemory. Further, any logic or application described can be implementedand structured in a variety of ways. For example, one or moreapplications can be implemented as modules or components of a singleapplication. Further, one or more applications described can be executedin shared or separate computing devices or a combination thereof. Forexample, a plurality of the applications described can execute in thesame computing device, or in multiple computing devices.

It is emphasized that the above-described embodiments of the presentdisclosure are merely possible examples of implementations described fora clear understanding of the principles of the disclosure. Manyvariations and modifications can be made to the above-describedembodiments without departing substantially from the spirit andprinciples of the disclosure. All such modifications and variations areintended to be included within the scope of this disclosure.

What is claimed is:
 1. A system, comprising: at least one computingdevice; and program instructions stored in memory and executable by theat least one computing device that, when executed, direct the at leastone computing device to: connect a voice assistant device to a remoteservice that provides enterprise data to be audibly emitted by the voiceassistant device; in response to a request for the enterprise data beingreceived from the voice assistant device, generate an audio signal thataudibly broadcasts the enterprise data, wherein at least a portion ofthe audio signal is generated to audibly redact at least a portion ofthe enterprise data based at least in part on a mode of operation of thevoice assistant device; and direct the voice assistant device to emitthe enterprise data through a playback of the audio signal.
 2. Thesystem of claim 1, wherein the at least one computing device is furtherdirected to: maintain, in association with the voice assistant device, aplurality of security modes, the mode of operation of the voiceassistant device being one of the security modes, wherein individualones of the security modes are different from one another; and inresponse to a request for the enterprise data being received from thevoice assistant device, identify an active one of the plurality ofsecurity modes, wherein the audio signal is generated based at least inpart on the active one of the plurality of security modes.
 3. The systemof claim 1, wherein the at least one computing device is furtherdirected to: receive a request to change the active one of the securitymodes to another one of the security modes based at least in part on averbalized command received from the voice assistant device.
 4. Thesystem of claim 1, wherein the at least one computing device is furtherdirected to: adjust the active one of the security modes to another oneof the security modes without a verbalized command based at least inpart on a sensitivity of at least a portion of the enterprise data. 5.The system of claim 2, wherein: the active one of the security modes isenabled based at least in part on: multiple individuals being detectedwithin an audible range of the voice assistant device or an analysis ofa calendar item indicating that multiple individuals are present.
 6. Thesystem of claim 1, wherein the enterprise data comprises at least oneof: an email; a calendar item; a reminder; an instant message; and ashort message service (SMS) message.
 7. The system of claim 1, whereinthe portion of the enterprise data is modified by: replacing the portionof the enterprise data with a predetermined audio tone; replacing theportion of the enterprise data with static sound; or replacing theportion of the enterprise data with silence.
 8. A non-transitorycomputer-readable medium comprising machine-readable instructions,wherein the machine-readable instructions, when executed by at least oneprocessor, direct the at least one computing device to at least: connecta voice assistant device to a remote service that provides enterprisedata to be audibly emitted by the voice assistant device; in response toa request for the enterprise data being received from the voiceassistant device, generate an audio signal that audibly broadcasts theenterprise data, wherein at least a portion of the audio signal isgenerated to audibly redact at least a portion of the enterprise databased at least in part on a mode of operation of the voice assistantdevice; and direct the voice assistant device to emit the enterprisedata through a playback of the audio signal.
 9. The non-transitorycomputer-readable medium of claim 8, wherein the at least one computingdevice is further directed to: maintain, in association with the voiceassistant device, a plurality of security modes, the mode of operationof the voice assistant device being one of the security modes, whereinindividual ones of the security modes are different from one another;and in response to a request for the enterprise data being received fromthe voice assistant device, identify an active one of the plurality ofsecurity modes, wherein the audio signal is generated based at least inpart on the active one of the plurality of security modes.
 10. Thenon-transitory computer-readable medium of claim 8, wherein the at leastone computing device is further directed to: receive a request to changethe active one of the security modes to another one of the securitymodes based at least in part on a verbalized command received from thevoice assistant device.
 11. The non-transitory computer-readable mediumof claim 8, wherein the at least one computing device is furtherdirected to: adjust the active one of the security modes to another oneof the security modes without a verbalized command based at least inpart on a sensitivity of at least a portion of the enterprise data. 12.The non-transitory computer-readable medium of claim 9, wherein: theactive one of the security modes is enabled based at least in part on:multiple individuals being detected within an audible range of the voiceassistant device or an analysis of a calendar item indicating thatmultiple individuals are present.
 13. The non-transitorycomputer-readable medium of claim 8, wherein the enterprise datacomprises at least one of: an email; a reminder; a calendar item; aninstant message; and a short message service (SMS) message.
 14. Thenon-transitory computer-readable medium of claim 8, wherein the portionof the enterprise data is modified by: replacing the portion of theenterprise data with a predetermined audio tone; replacing the portionof the enterprise data with static sound; or replacing the portion ofthe enterprise data with silence.
 15. A method, comprising: connecting avoice assistant device to a remote service that provides enterprise datato be audibly emitted by the voice assistant device; in response to arequest for the enterprise data being received from the voice assistantdevice, generating an audio signal that audibly broadcasts theenterprise data, wherein at least a portion of the audio signal isgenerated to audibly redact at least a portion of the enterprise databased at least in part on a mode of operation of the voice assistantdevice; and directing the voice assistant device to emit the enterprisedata through a playback of the audio signal.
 16. The method of claim 15,further comprising: maintaining, in association with the voice assistantdevice, a plurality of security modes, the mode of operation of thevoice assistant device being one of the security modes, whereinindividual ones of the security modes are different from one another;and in response to a request for the enterprise data being received fromthe voice assistant device, identifying an active one of the pluralityof security modes, wherein the audio signal is generated based at leastin part on the active one of the plurality of security modes.
 17. Themethod of claim 15, further comprising: receiving a request to changethe active one of the security modes to another one of the securitymodes based at least in part on a verbalized command received from thevoice assistant device.
 18. The method of claim 15, further comprising:adjusting the active one of the security modes to another one of thesecurity modes without a verbalized command based at least in part on asensitivity of at least a portion of the enterprise data.
 19. The methodof claim 16, wherein: the active one of the security modes is enabledbased at least in part on: multiple individuals being detected within anaudible range of the voice assistant device or an analysis of a calendaritem indicating that multiple individuals are present.
 20. Thenon-transitory computer-readable medium of claim 8, wherein: theenterprise data comprises at least one of: an email; a reminder; acalendar item; an instant message; and a short message service (SMS)message; and the portion of the enterprise data is modified by:replacing the portion of the enterprise data with a predetermined audiotone; replacing the portion of the enterprise data with static sound; orreplacing the portion of the enterprise data with silence.